I - Amendments to the Claims

Please amend the claims as follows with the following
version of the claims in accordance with revised 37 CFR § 1.121.

1. (Currently Amended) A method for controlling access to protected 
resources within a distributed data processing system, the method comprising: 

receiving at a first server from a client a request to 
access a protected resource and a single-use token associated
with the client or a user of the client; 

validating the single-use token, wherein the single-use 
token comprises session information for performing session 
management with respect to the client; 

determining that the single-use token is a domain token;
generating a client authorization credential request;
sending to a second server the client authorization
credential request, the single-use domain token associated with
the client or the user of the client, and a single-use domain
token associated with the first server, wherein the first server
and the second server are operated within a common domain;
generating a response to the request; 
refreshing the single-use token; and 

sending the response and the refreshed single-use token to 
the client. 
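
The validate-and-refresh sequence recited in claim 1, reduced to a single server, as an added example that is not part of the filing. The class name, the `kind:session_info:nonce:tag` token layout and the HMAC construction are assumptions, and the exchange with the second server is omitted.

```python
import hashlib
import hmac
import secrets


class TokenAuthority:
    """Hypothetical issuer/validator of single-use tokens (layout is assumed)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key, never leaves the server
        self._unspent = set()                # nonces of tokens not yet presented

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, kind, session_info):
        """Mint a 'domain' or 'service' token carrying session information."""
        nonce = secrets.token_hex(16)
        body = f"{kind}:{session_info}:{nonce}"
        self._unspent.add(nonce)
        return f"{body}:{self._tag(body)}"

    def validate(self, token):
        """Return (kind, session_info) and spend the token, or None if invalid."""
        try:
            kind, session_info, nonce, tag = token.split(":")
        except ValueError:
            return None                      # malformed
        expected = self._tag(f"{kind}:{session_info}:{nonce}")
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None                      # forged or altered
        if nonce not in self._unspent:
            return None                      # already presented once: replay
        self._unspent.remove(nonce)          # single use
        return kind, session_info

    def handle_request(self, token):
        """Validate, classify, respond, and refresh the presented token."""
        result = self.validate(token)
        if result is None:
            return {"status": 401, "token": None}
        kind, session_info = result
        refreshed = self.issue(kind, session_info)  # same session, new nonce
        return {"status": 200, "kind": kind, "token": refreshed}
```

A production token would also carry an expiry and would not expose session information in the clear.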

2. (Currently Amended) The method of claim 1 further 
comprising:

receiving determining that the single-use token is a
single-use service token, wherein the single-use a service token
is issued by the first server; and

refreshing the single-use service token at the first

3. (Original) The method of claim 1 wherein the session
information in the single-use token is a session key.

4. (Canceled).

5. (Currently Amended) The method of claim 1 4 further
comprising:

validating at the second server the single-use domain token 
associated with the client or the user of the client and the 
single-use domain token associated with the first server; 

generating the client authorization credential; 

refreshing at the second server the single-use domain token 
associated with the client or the user of the client and the 
single-use domain token associated with the first server; and 

sending to the first server the client authorization 
credential, the refreshed single-use domain token associated 
with the client or the user of the client, and the refreshed 
single-use domain token associated with the first server. 

6. (Original) The method of claim 5 further comprising: 

storing the client authorization credential at the first 
server;

generating a single-use service token associated with the 
client or the user of the client; 

and sending to the client the single-use service token 
along with the response and the single-use domain token. 

7. (Original) The method of claim 1 further comprising: 

receiving a login request from the client at the second 
server; 

challenging the client to provide authentication data; 
receiving authentication data from the client; 

authenticating the client; generating a single-use domain 
token associated with the client or the user of the client; 

generating an authentication response; and 

sending the authentication response and the single-use 
domain token to the client. 

8. (Original) The method of claim 7 further comprising:

determining that the login request is a redirected request 
from the first server; and 

modifying the authentication response to redirect the 
client to the first server. 

9. (Currently Amended) An apparatus for controlling access to 
protected resources within a distributed data processing system, 
the apparatus comprising: 

means for receiving at a first server from a client a 
request to access a protected resource and a single-use token 
associated with the client or a user of the client; 

means for validating the single-use token, wherein the 
single-use token comprises session information for performing 
session management with respect to the client; 

means for determining that the single-use token is a domain
token;

means for generating a client authorization credential 
request; 

means for sending to a second server the client 
authorization credential request, the single-use domain token 
associated with the client or the user of the client, and a 
single-use domain token associated with the first server, 
wherein the first server and the second server are operated 
within a common domain; 

means for generating a response to the request; 

means for refreshing the single-use token; and 

means for sending the response and the refreshed single-use 
token to the client. 

10. (Currently Amended) The apparatus of claim 9 further 
comprising:

Page 5
Williams - 09/896,195

means for receiving determining that the single-use token is a
single-use service token, wherein the single-use a service
token is issued by the first server; and

means for refreshing the single-use service token at the 
first server. 

11. (Original) The apparatus of claim 9 wherein the session 
information in the single-use token is a session key. 

12. (Canceled).

13. (Currently Amended) The apparatus of claim 9 12 further
comprising:

means for validating at the second server the single-use 
domain token associated with the client or the user of the 
client and the single-use domain token associated with the first 
server;

means for generating the client authorization credential; 

means for refreshing at the second server the single-use 
domain token associated with the client or the user of the 
client and the single-use domain token associated with the first 
server; and 

means for sending to the first server the client 
authorization credential, the refreshed single-use domain token 
associated with the client or the user of the client, and the 
refreshed single-use domain token associated with the first 
server.

14. (Original) The apparatus of claim 13 further comprising: 

means for storing the client authorization credential at 
the first server; 

means for generating a single-use service token associated
with the client or the user of the client; and 

means for sending to the client the single-use service 
token along with the response and the single-use domain token. 

15. (Original) The apparatus of claim 9 further comprising:

means for receiving a login request from the client at the
second server;

means for challenging the client to provide authentication
data;

means for receiving authentication data from the client;

means for authenticating the client;

means for generating a single-use domain token associated
with the client or the user of the client;

means for generating an authentication response; and

means for sending the authentication response and the
single-use domain token to the client.

16. (Original) The apparatus of claim 15 further comprising:

means for determining that the login request is a
redirected request from the first server; and

means for modifying the authentication response to redirect
the client to the first server.

17. (Currently Amended) A computer program product on a
computer readable medium for controlling access to protected
resources within a distributed data processing system, the
computer program product comprising:

instructions for receiving at a first server from a client
a request to access a protected resource and a single-use token
associated with the client or a user of the client;

instructions for validating the single-use token, wherein
the single-use token comprises session information for
performing session management with respect to the client;

instructions for determining that the single-use token is a
domain token;

instructions for generating a client authorization
credential request;

instructions for sending to a second server the client
authorization credential request, the single-use domain token
associated with the client or the user of the client, and a
single-use domain token associated with the first server,
wherein the first server and the second server are operated
within a common domain;

instructions for generating a response to the request;

instructions for refreshing the single-use token; and

instructions for sending the response and the refreshed
single-use token to the client.

18. (Currently Amended) The computer program product of claim
17 further comprising:

instructions for receiving determining that the single-use
token is a single-use service token, wherein the single-use a
service token is issued by the first server; and

instructions for refreshing the single-use service token at
the first server.

19. (Original) The computer program product of claim 17 wherein
the session information in the single-use token is a session
key.

20. (Canceled).

21. (Currently Amended) The computer program product of claim 
17 ^ further comprising: 

instructions for validating at the second server the
single-use domain token associated with the client or the user 
of the client and the single-use domain token associated with 
the first server; 

instructions for generating the client authorization 
credential;

instructions for refreshing at the second server the 
single-use domain token associated with the client or the user 
of the client and the single-use domain token associated with 
the first server; and 

instructions for sending to the first server the client 
authorization credential, the refreshed single-use domain token 
associated with the client or the user of the client, and the 
refreshed single-use domain token associated with the first 
server.

22. (Original) The computer program product of claim 21 further 
comprising: 

instructions for storing the client authorization 
credential at the first server; instructions for generating a 
single-use service token associated with the client or the user 
of the client; and 

instructions for sending to the client the single-use
service token along with the response and the single-use domain 
token. 

23. (Original) The computer program product of claim 17 further 
comprising:

instructions for receiving a login request from the client
at the second server;

instructions for challenging the client to provide
authentication data;

instructions for receiving authentication data from the
client;

instructions for authenticating the client;

instructions for generating a single-use domain token
associated with the client or the user of the client;

instructions for generating an authentication response; and

instructions for sending the authentication response and
the single-use domain token to the client.

24. (Original) The computer program product of claim 23 further 
comprising: 

instructions for determining that the login request is a 
redirected request from the first server; and 

instructions for modifying the authentication response to 
redirect the client to the first server. 